Monitor Microsoft DNS Server log file
This simple Perl script analyzes the Microsoft DNS server log file and outputs the following information:
- date
- time
- remote ip
- fqdn
Microsoft DNS log field description
The Microsoft DNS log file contains the fields described below (fields 12 to 14 are printed between square brackets):
- 1 Date
- 2 Time
- 3 Thread ID
- 4 Context
- 5 Internal packet identifier
- 6 UDP/TCP indicator
- 7 Send/Receive indicator
- 8 Remote IP
- 9 Xid (hex)
- 10 Query/Response
  - R = Response
  - blank = Query
- 11 Opcode
  - Q = Standard Query
  - N = Notify
  - U = Update
  - ? = Unknown
- 12 [ Flags (hex)
- 13 Flags (char codes)
  - A = Authoritative Answer
  - T = Truncated Response
  - D = Recursion Desired
  - R = Recursion Available
- 14 ResponseCode ]
- 15 Question Type
- 16 Question Name
Perl requirement
To run this script, the Perl module File::Tail is required. You can install it by executing the command: cpan install File::Tail
Enable Microsoft DNS server debug logging
By default, debug logging is disabled. To enable it, follow these steps:
- launch the DNS Server Management console: mmc dnsmgmt.msc
- right-click on the DNS server name, then click on Properties
- go to the “Debug Logging” tab
- set the options as described below
Mount the log folder
In this script, the log file is read from the folder “/mount/log”. The mount point is defined like this in my fstab:
//dnsserver/dns /mount/log cifs credentials=/root/.smbpasswddns,noatime,ro,noserverino,nounix 0 0
The script
use strict;
use warnings;
use File::Tail;

my $name = "/mount/log/dns.log";

# tail => 0: start at the end of the file (only new lines); maxinterval => 1: poll every second
my $file = File::Tail->new(name => $name, maxinterval => 1, tail => 0);

while (defined(my $line = $file->read)) {
    # collapse runs of spaces so that split gives one element per field
    $line =~ s/ +/ /g;
    my @array = split / /, $line;

    my $date     = $array[0];
    my $time     = $array[1];
    my $remoteip = $array[7];
    # the question name is always the last field, whatever the Query/Response column contains
    my $questionname = $array[-1];

    # turn the "(3)www(7)example(3)com(0)" label format into a dotted name,
    # then drop the leading dot left by the first label length
    $questionname =~ s/\((\w+)\)/\./g;
    $questionname =~ s/^\.//;

    print "$date\n";
    print "$time\n";
    print "$remoteip\n";
    print "$questionname\n";
}
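The same parsing done with a regular expression, as an added Python example that is not the author's Perl script: it matches the field layout described above without depending on space-collapsed field positions (the blank Query/Response column of a query would otherwise shift the indexes), keeps a 12-hour "9:14:22 AM" time together, and decodes the "(3)www(7)example(3)com(0)" question name. The sample lines are constructed, not real traffic, and the regex assumes the "Details" option of debug logging is off so that each packet is one line.

```python
import re

# One Microsoft DNS debug-log packet line (assumption: "Details" logging is off, so
# each packet is a single line). The Query/Response column is blank for queries, so it
# is optional here; the flag char codes sit in fixed columns between the hex flags and the rcode.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<thread>\w+)\s+(?P<context>\S+)\s+(?P<pkt>\w+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>R?)\s*(?P<opcode>[QNU?])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?P<flags_chr>[ATDR ]*?)\s*(?P<rcode>\w+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample lines (not real traffic): file header, a received query, its response.
SAMPLE_LINES = [
    "DNS Server log file creation at 10/05/2015 09:14:00",
    "10/05/2015 09:14:22 0E20 PACKET  0000000000D4C0E0 UDP Rcv 192.168.1.10    "
    "0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "10/05/2015 9:14:22 AM 0E20 PACKET  0000000000D4C0E0 UDP Snd 192.168.1.10    "
    "0002 R Q [8085 A DR  NOERROR] A      (3)www(7)example(3)com(0)",
]

def decode_qname(raw):
    """Decode the length-prefixed name "(3)www(7)example(3)com(0)" to "www.example.com."."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", raw):
        if int(length) == 0:                 # root label ends the name
            break
        if len(label) != int(length):        # truncated or corrupt line
            raise ValueError("label length mismatch in %r" % raw)
        labels.append(label)
    return ".".join(labels) + "."

def parse_line(line):
    """Return a dict of fields for a packet line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["qr"] = "R" if rec["qr"] == "R" else "Q"          # blank means query
    rec["flags_chr"] = "".join(rec["flags_chr"].split())  # e.g. "ADR"
    rec["fqdn"] = decode_qname(rec["qname"])
    return rec

def summarise(lines):
    """The four values the Perl script prints: date, time, remote ip, fqdn."""
    recs = (parse_line(line) for line in lines)
    return [(r["date"], r["time"], r["remote_ip"], r["fqdn"]) for r in recs if r]
```

Feeding `summarise()` an open file handle on the mounted dns.log gives the same four values per packet as the Perl script, with the other fields (opcode, flags, rcode, qtype) available from `parse_line()` for filtering.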